CVE-2022-2995

Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

Published: Sep 19, 2022
Updated: May 9, 2024
CVE: CVE-2022-2995
GHSA: GHSA-phjr-8j92-w5v7
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-284
CWE-732

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
kubernetes / cri-o	1.25.0	1.25.0.x
github.com/cri-o/cri-o	-	1.25.0

https://github.com/cri-o/cri-o/commit/db3b399a8d7dabf7f073db73894bee98311d7909
https://github.com/cri-o/cri-o/pull/6159
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/

Vulnerability Database

289,599

CVE-2022-2995